DEF CON – Las Vegas 2011: Plenty of Hype and Substance

After picking up my badge, I made my first pit stop to catch “The History and Evolution of Computer Viruses,” hosted by Mikko Hypponen, Chief Research Officer at F-Secure. Mikko gave an entertaining overview of viruses past and present. His presentation consisted of a few slides listing various virus names, backed with background and statistical bullet points for each. Mikko displayed great charisma and the speed of his delivery was on point. At the end, I was surprised that there wasn’t more speculation from attendees about what the security sector can expect next in the wild.

After Mikko’s talk I ventured towards “The Art and Science of Security Research,” hosted by Greg Conti, an Academy Professor and Director of West Point’s Cyber Security Research Center in New York. Greg’s talk was very high-level, more generalized towards performing any kind of research, and not specifically about security. DEF CON promoted this lecture with the message that “Research is a tricky thing, full of pitfalls, blind alleys, and rich rewards for the individual and humanity.” The richest take-away message I got was his recommendation for individual researchers and entities of all sorts to publish their research regularly and openly across all media types.

Following lunch I caught the last half of the “Net Neutrality Panel,” whose presenters, mostly attorneys, demonstrated a commendable span of knowledge across both technical and legal matters. The panel covered how network neutrality has morphed from an abstract industry buzzword into FCC-enabled policy and what the future may hold. While highly informative, the Q&A from the crowd seemed to get jammed up with opinion. I did appreciate one particular question about why the consumer dollar doesn’t seem to count as a vote to the providers themselves.

“Former Keynotes – The Future” followed. I appreciated, and was enlightened by, the words of these former keynote speakers:

Rod Beckstrom – a high-tech entrepreneur, published author and CEO and President of ICANN

Jerry Dixon – the former Director of the National Cyber Security Division (NCSD) & US-CERT of the U.S. Department of Homeland Security

Tony W. Sager – the Chief of the Vulnerability Analysis and Operations (VAO) Group within the Information Assurance Directorate at the National Security Agency

Linton Wells II – a twenty-six year naval officer, distinguished Professor, Director of the Center for Technology and National Security Policy (CTNSP) and Force Transformation Chair at the National Defense University (NDU)

Learning about these esteemed individuals’ backgrounds and their current projects was entertaining and they were all poised speakers. The biggest message I took away was that people are the root of security, not the technology.

The room soon packed for “Malware Freak Show 3: They’re pwning er’body out there!” After being pushed uncomfortably to the edge of my already small seat by a hefty fellow, we watched a failed attempt to spot the fed while waiting for the talk to begin. Nicholas J. Percoco, Senior V.P. and Head of SpiderLabs at Trustwave, and Jibran Ilyas, Senior Forensic Investigator at the same organization, took the stage. Their malware samples were interesting choices. Nicholas and Jibran demonstrated how malware targeted people and their identities in everyday situations: at work, at home, at one’s local grocer, and on mobile devices. I felt too much time was spent on visuals instead of digging deep into the true sources of the malware samples shared. Learning exactly how the malware samples were found, what they might have been packed with, what the reverse engineering process was like (Perl or Ruby code, please?) or any other practical information that could be put to use would have been preferred.

I soon wandered over to listen to the “Familiarity Breeds Contempt” track, hosted by Sandy “Mouse” Clark, once a child prodigy of sorts within the hacker community, and Brad Haines (a.k.a. Renderman), also an active Whitehat by trade, Blackhat by fashion and published author. Being a developer myself, I looked forward to their dissection of the “Good programmers write code, great programmers reuse” truism as it related to the security sector. The two speakers stressed how abiding by this truism only taints all programming efforts in truly making things “secure.” Brad gave examples of vulnerabilities in WEP and its carry-overs into WPA. I also found their concept of extrinsic factors affecting the overall level of vulnerability rather than software quality quite intriguing.

Day Two

Day two at DEF CON started with the “Traps of Gold” talk by Andrew Wilson, Security Consultant at Trustwave’s SpiderLabs, and Michael Brooks, Security Researcher. The pair provided some great ideas about protective ways to even the playing field against automated vulnerability scanning, and ways to counterattack. A few of the attendees expressed sentiments that the speakers’ suggestions were too extreme, such as getting rid of file name extensions on the server and returning 404 error codes for every web page even though normal content would be returned. I left wondering how this might translate to the Web in general.
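The two suggestions the audience found extreme are easy to picture in code. The following is an added example, not code from the Traps of Gold speakers or from zvelo: a toy request handler that maps extension-less routes to page bodies and labels every response 404 while still serving the real content, next to a scanner heuristic that trusts status codes and a second one that diffs response bodies against a known-missing baseline. The routes, page bodies and probe paths are constructed for the demonstration.

```python
"""Added example (not code from the "Traps of Gold" talk): a request handler
that serves real content but always answers 404, plus two scanner heuristics
that show what the trick does and does not hide."""

import re

# Constructed sample site: canonical, extension-less routes -> page bodies.
PAGES = {
    "/": "<h1>Home</h1>",
    "/about": "<h1>About</h1>",
    "/admin": "<h1>Admin login</h1>",
}

# Constructed list of paths a generic scanner might probe on this site.
PROBES = ["/admin.php", "/backup.zip", "/.git/config", "/wp-login.php", "/about.html"]

MISSING_BODY = "<h1>Not found</h1>"


def canonical(path: str) -> str:
    """Drop any query string and a trailing file extension, so that
    /about.html, /about.php and /about all resolve to the same route."""
    path = path.split("?", 1)[0]
    return re.sub(r"\.[A-Za-z0-9]+$", "", path) or "/"


def handle(path: str) -> tuple[int, str]:
    """Serve the content for a known route, but report 404 on every response
    so a tool that keys on status codes cannot separate hits from misses."""
    body = PAGES.get(canonical(path), MISSING_BODY)
    return 404, body


def naive_scan(probe_paths: list[str]) -> set[str]:
    """Scanner heuristic that flags a path only when the server answers 200.
    Against the always-404 server it finds nothing, which is the intended effect."""
    return {p for p in probe_paths if handle(p)[0] == 200}


def body_diff_scan(probe_paths: list[str],
                   baseline: str = "/this-route-does-not-exist") -> set[str]:
    """Check on the mitigation's limits: compare each body with the body of a
    path known to be missing. Anything that differs is still discoverable, so
    uniform 404s only defeat status-code-driven tooling."""
    _, baseline_body = handle(baseline)
    return {p for p in probe_paths if handle(p)[1] != baseline_body}


if __name__ == "__main__":
    for p in PROBES:
        print(p, "->", handle(p))
    print("status-code scanner found:", naive_scan(PROBES))
    print("body-diff scanner found:", body_diff_scan(PROBES))
```

Two caveats a practitioner would weigh before adopting this: every client that respects status codes (browsers, caches, search engines, monitoring) will treat the site as broken, and as the second heuristic shows, a scanner that compares response bodies rather than status codes is not fooled at all.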

Next I headed over to “Security When Nano Seconds Count” and was impressed with James “Myrcurial” Arlen’s slide on investing in learning how to become a good speaker. His talk about the custom systems used for market trading was eye-opening and accurately reflects the state of security today. When the markets get taken down by a lack of security I’m sure he’ll be the first to say, “I told you so.”

I caught the start of the “DEF CON Comedy Jam IV, A New Hope For The Fail Whale,” intended to showcase two hours’ worth of non-stop FAIL. One particular presentation was about failed efforts in making a wireless thermostat do what it was instructed. This was humorous at most.

I then decided to get some lunch instead of eating waffles made with Guinness while avoiding flying red rubber balls. One of many typical musings of DEF CON.

After being turned away from “Abusing HTML5” due to a full house, I resorted to “Sounds Like Botnet,” hosted by Security Art’s Itzik Kotler, Chief Technology Officer, and Iftach Ian Amit, V.P. Consulting. I grew fascinated with their lecture about a newer form of botnet command and control over VoIP, seemingly drawn from real bot samples in the wild. After they demonstrated their Moshi Moshi bot and the conversion of data to sound and back, applause erupted, and I bookmarked the pages so I could play with and dig into their code later. Cool stuff!

Finally, I caught “Phishing and Online Scam in China,” which showed how phishing in China has evolved past the typical attacks seen in other countries. While Joey Zhu, Staff Engineer at Trend Micro, was somewhat difficult to understand, I stayed plugged in to learn about potential new trends. As with all phishing in China, and worldwide for that matter, the scams follow the crowds. The Bank of China, CCTV, Taobao and QQ all draw big user bases and thus are exploited much like big brands anywhere else.

Summary

Outside of the valuable tracks I was able to partake in, I spent in-between moments mingling with like-minded developers, researchers, analysts, hackers and other security professionals. Within these smaller groups, I was able to hold actual conversations about the state of web security in general, and also about the proprietary research and development I perform on the daily at zvelo, specifically how my work enhances the company’s automated malicious website detection technologies. My expectations of DEF CON lived up to all the hype and I ended my run with an arsenal of practical malware-busting knowledge. As such, I’ll likely request repeat DEF CON visits for many years to come.

Author: Joshua Rubin

Joshua Rubin has been with zvelo since 2007. A highly skilled developer and leader with deep experience and technical knowledge, Joshua specializes in a broad range of areas including scalable, high performance API architecture, web applications, mobile apps and back-end libraries. Performance, simplicity, security and design take a backseat to nothing in Joshua’s work.
